Re: Ethernet Tap

[Matt Kettler <mkettler () evi-inc com>]

At 11:13 AM 4/15/2004, Altrock, Jens wrote:
> I am searching for a possibility of constructing an ethernet tap, but not
> like the one found on the snort website
> where I need to attach two network cards to inspect the whole traffic, but
> one using one port for a full
> duplex line. Is that possible and does anyone have some links concerning
> this topic? Would be nice.

In short, you can't do such a bi-directonal tap into a single ethenet port 
in a simple way. Such a tap cannot be done in a passive manner and must be 
a buffered system with memory, and have a lot of electronics.. It would be 
much cheaper to spend the money on a manageable switch with span port 
capability.


Think about it. You want to feed 100mbit/sec outbound AND 100mbit/sec 
inbound into a single 100mbit/sec ethernet port. Sorry, you can't do that 
just by soldering a few wires together.

The simple cheap passive tap is simple and cheap because it relies on the 
fact that you can feed a single 100mbit/sec stream into a 100mbit/sec port 
pretty easily. So you just dump the inbound into one port, the outbound 
into another. Poof, instant passive tap, but it requires 2 ethernet cards.



-------------------------------------------------------
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users